Malware Analysis Report

2025-01-02 06:41

Sample ID 240515-wrm4cscg7t
Target 0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47
SHA256 0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10


Analysis Overview

score
10/10

SHA256

0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47

Threat Level: Known bad

The file 0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba

Glupteba payload

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Adds Run key to start application

Checks installed software on the system

Manipulates WinMonFS driver

Drops file in System32 directory

Checks for VirtualBox device \??\VBoxMiniRdrDN, possible anti-VM trick

Drops file in Windows directory

Launches sc.exe

Command and Scripting Interpreter: PowerShell

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Uses Task Scheduler COM API

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-05-15 18:09

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-15 18:09

Reported

2024-05-15 18:12

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

19 matches (description, indicator, process and target all reported as N/A)

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
6 matches (description, indicator, process and target all reported as N/A)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver (\??\WinMonFS is the device name of the kernel driver Glupteba installs to hide its files; csrss.exe opening it is the user-mode component talking to, or probing for, that driver)

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox device \??\VBoxMiniRdrDN, possible anti-VM trick (the shared-folder redirector device installed by the VirtualBox Guest Additions; it is a device object, not a DLL, and only exists inside a VirtualBox guest)

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Note: the @tzres.dll MuiCache values are cached display strings that Windows writes when a process resolves localized time-zone names (here every time zone is walked), and the SystemCertificates keys are created when PowerShell opens certificate stores; neither is a useful indicator on its own. All of these writes land in HKEY_USERS\.DEFAULT, the hive that processes running as LocalSystem see as HKEY_CURRENT_USER.
Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-841 = "Argentina Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1892 = "Russia TZ 3 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2591 = "Tocantins Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time" C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2772 = "Omsk Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1722 = "Libya Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-3141 = "South Sudan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-691 = "Tasmania Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time" C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2752 = "Tomsk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-491 = "India Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time" C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2181 = "Astrakhan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1842 = "Russia TZ 4 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time" C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-142 = "Canada Central Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-292 = "Central European Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time" C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-871 = "Pakistan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time" C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-341 = "Egypt Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-342 = "Egypt Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time" C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time" C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Process Enumeration events
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe 32
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 14
C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe 12
C:\Windows\rss\csrss.exe 6
(64 events in total; description, indicator and target were N/A for all of them)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1640 wrote to memory of 2272 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2872 wrote to memory of 3172 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2872 wrote to memory of 4504 (2 writes) N/A C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe C:\Windows\system32\cmd.exe
PID 4504 wrote to memory of 3644 (2 writes) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2872 wrote to memory of 3668 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2872 wrote to memory of 1428 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2872 wrote to memory of 2488 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe C:\Windows\rss\csrss.exe
PID 2488 wrote to memory of 1320 (3 writes) N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2488 wrote to memory of 1476 (3 writes) N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2488 wrote to memory of 3296 (3 writes) N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2488 wrote to memory of 1656 (2 writes) N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1456 wrote to memory of 5056 (3 writes) N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 5056 wrote to memory of 3608 (3 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe

"C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe

"C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 32.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 9400fbef-ce4d-47fe-bbea-94c3fcbe4019.uuid.localstats.org udp
US 8.8.8.8:53 stun1.l.google.com udp
US 8.8.8.8:53 server2.localstats.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
BG 185.82.216.111:443 server2.localstats.org tcp
US 74.125.250.129:19302 stun1.l.google.com udp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
US 8.8.8.8:53 233.130.159.162.in-addr.arpa udp
US 8.8.8.8:53 111.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
BG 185.82.216.111:443 server2.localstats.org tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
BG 185.82.216.111:443 server2.localstats.org tcp
US 8.8.8.8:53 89.16.208.104.in-addr.arpa udp

Files

memory/1640-1-0x0000000004780000-0x0000000004B7F000-memory.dmp

memory/1640-2-0x0000000004B80000-0x000000000546B000-memory.dmp

memory/1640-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2272-4-0x00000000003F0000-0x000000000045D000-memory.dmp

memory/2272-5-0x0000000002A70000-0x0000000002AA6000-memory.dmp

memory/2272-6-0x0000000005200000-0x0000000005828000-memory.dmp

memory/2272-7-0x00000000051A0000-0x00000000051C2000-memory.dmp

memory/2272-8-0x00000000059A0000-0x0000000005A06000-memory.dmp

memory/2272-9-0x0000000005A10000-0x0000000005A76000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2xcn1doa.4nd.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2272-19-0x0000000005A80000-0x0000000005DD4000-memory.dmp

memory/2272-20-0x0000000006040000-0x000000000605E000-memory.dmp

memory/2272-21-0x00000000060F0000-0x000000000613C000-memory.dmp

memory/2272-22-0x00000000065A0000-0x00000000065E4000-memory.dmp

memory/2272-23-0x0000000007380000-0x00000000073F6000-memory.dmp

memory/2272-24-0x0000000007A80000-0x00000000080FA000-memory.dmp

memory/2272-25-0x0000000007420000-0x000000000743A000-memory.dmp

memory/1640-26-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2272-27-0x00000000075E0000-0x0000000007612000-memory.dmp

memory/2272-28-0x0000000070B50000-0x0000000070B9C000-memory.dmp

memory/2272-29-0x00000000712D0000-0x0000000071624000-memory.dmp

memory/2272-39-0x0000000007620000-0x000000000763E000-memory.dmp

memory/2272-40-0x0000000007640000-0x00000000076E3000-memory.dmp

memory/2272-41-0x0000000007720000-0x000000000772A000-memory.dmp

memory/2272-42-0x00000000077E0000-0x0000000007876000-memory.dmp

memory/2272-43-0x0000000007740000-0x0000000007751000-memory.dmp

memory/2272-44-0x0000000007780000-0x000000000778E000-memory.dmp

memory/2272-45-0x0000000007790000-0x00000000077A4000-memory.dmp

memory/2272-46-0x0000000007880000-0x000000000789A000-memory.dmp

memory/2272-47-0x00000000077C0000-0x00000000077C8000-memory.dmp

memory/2272-50-0x00000000003F0000-0x000000000045D000-memory.dmp

memory/1640-52-0x0000000004780000-0x0000000004B7F000-memory.dmp

memory/1640-53-0x0000000004B80000-0x000000000546B000-memory.dmp

memory/1640-55-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1640-54-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3172-65-0x0000000070B50000-0x0000000070B9C000-memory.dmp

memory/3172-66-0x00000000712D0000-0x0000000071624000-memory.dmp

memory/3172-76-0x0000000006CB0000-0x0000000006D53000-memory.dmp

memory/3172-77-0x0000000006FE0000-0x0000000006FF1000-memory.dmp

memory/3172-79-0x0000000007030000-0x0000000007044000-memory.dmp

memory/2872-78-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/3668-92-0x0000000005990000-0x0000000005CE4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 4d4b59db8c3bf782de5b0fe76b6b96a6
SHA1 d5cc0563ff8715c2ac8613b764d36f3ba0a1bdd5
SHA256 937ac811eba7c9227133a4e76184d65abf9bc57e21edfc76f114613d5d8af051
SHA512 bf836f1031320e90333816a205fcdd8f26c10a7f17ae8c1bff693d027cd3c90e1dde349be410d3d38b3b487d0a3641a73dcdfb8bc75ee441193352eb943848db

memory/3668-94-0x0000000070B50000-0x0000000070B9C000-memory.dmp

memory/3668-95-0x0000000070CD0000-0x0000000071024000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 db94c44a4deb394a900c0b4e3ae6c7a0
SHA1 930c47e23878e40b36d8ccd5f030bd08e908aa7f
SHA256 5157450433ab2deefeb72e67638a2d514d057edb209160e2aca8022172bdbd69
SHA512 35c37d896bce8d19d01b7ac6162f52da1a24717cef339502b387c7efcc49d0a9bfb491ae1513a07d8a1de97b46187a7076c4fd9c45bbae4ccf5090fd521c0eb4

memory/1428-118-0x0000000070CD0000-0x0000000071024000-memory.dmp

memory/1428-117-0x0000000070B50000-0x0000000070B9C000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 b3461f483961ad4f068cdf5f5158212f
SHA1 3068310452cb36a61915636d993dc850ffcd1cf4
SHA256 0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47
SHA512 7ea14b89dcc09a82a88ada8e83bcc8870931c54b770ff7adb410533b5a748dc26f1836182e7c275902d4f2ca88ff7eb250270bf5296849fa9fb88025c576bec6

memory/2872-134-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1320-145-0x0000000005C90000-0x0000000005FE4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 09785fa72cc1a054617c31a581632dfe
SHA1 326c784769f1a592807b0e0ac703b727672cc41f
SHA256 d4dd9b58ec8bb4aae5a3050f1585415c85570c4efc521ddcacbf9d382e407211
SHA512 9f1f9e7bb0ea3ec33f00ab679758faa6bf63dfc57c22cd2e0aca2c812659ab72e4d383c37b01edbe40235dae433d64049979a421b088f78c8f76c593ebae1199

memory/1320-147-0x0000000070B50000-0x0000000070B9C000-memory.dmp

memory/1320-148-0x00000000712B0000-0x0000000071604000-memory.dmp

memory/2488-159-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1476-161-0x00000000059A0000-0x0000000005CF4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 6607dbf3ff05b7cb3d73e53435e96175
SHA1 5b5d58b5fa87bfa24aff1a74baa2bb770a2f7ef7
SHA256 3881337bc62c7ccc16c4194fe9b165cc74a99cdca2978dc3dd0f5564d0484a55
SHA512 52c9792f6a8847dca8906eace263e9da81f6401cccdf61ce0733173f31b192a9528615ef46fe70cca8e80b1ef2e3d58b4338aec7207d413ff4aa0591d47272e6

memory/1476-172-0x0000000006460000-0x00000000064AC000-memory.dmp

memory/1476-174-0x0000000071200000-0x0000000071554000-memory.dmp

memory/1476-173-0x0000000070A70000-0x0000000070ABC000-memory.dmp

memory/1476-184-0x0000000007350000-0x00000000073F3000-memory.dmp

memory/1476-185-0x0000000007680000-0x0000000007691000-memory.dmp

memory/1476-186-0x0000000005EE0000-0x0000000005EF4000-memory.dmp

memory/3296-197-0x0000000005EB0000-0x0000000006204000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 1e2a1225d645f4eb8e31fe486680dca1
SHA1 4bb2019db45328424bbb1c336e1d58ebb7e475e3
SHA256 6c7728d748fdcec1600c340b3babf5777c0de346373b35348566f311266d87bc
SHA512 f83b110ce857de675844a062fae49ad5d47d3d6e3dff8dd746a9dd703b97b3c18741af9ae9e4fe30a446bfb3f86a4a8b5ad6b11889fb888aeab28d6508a269fe

memory/3296-199-0x0000000070A70000-0x0000000070ABC000-memory.dmp

memory/3296-200-0x0000000070BF0000-0x0000000070F44000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/2488-217-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/1456-223-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4040-226-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1456-228-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2488-230-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4040-233-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2488-232-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2488-236-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4040-241-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2488-240-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2488-246-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2488-248-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2488-252-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2488-256-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2488-262-0x0000000000400000-0x0000000002B0B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-15 18:09

Reported

2024-05-15 18:12

Platform

win11-20240508-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2161 = "Altai Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-571 = "China Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-42 = "E. South America Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-361 = "GTB Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-962 = "Paraguay Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2892 = "Sudan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1411 = "Syria Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-512 = "Central Asia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time" C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time" C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time" C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time" C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time" C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-401 = "Arabic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-602 = "Taipei Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2891 = "Sudan Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time" C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time" C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-391 = "Arab Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-291 = "Central European Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-721 = "Central Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2432 = "Cuba Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2771 = "Omsk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-292 = "Central European Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-162 = "Central Standard Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1912 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1912 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1912 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 640 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 640 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 640 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 640 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe C:\Windows\system32\cmd.exe
PID 640 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe C:\Windows\system32\cmd.exe
PID 5100 wrote to memory of 1276 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 5100 wrote to memory of 1276 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 640 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 640 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 640 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 640 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 640 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 640 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 640 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe C:\Windows\rss\csrss.exe
PID 640 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe C:\Windows\rss\csrss.exe
PID 640 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe C:\Windows\rss\csrss.exe
PID 1036 wrote to memory of 3168 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1036 wrote to memory of 3168 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1036 wrote to memory of 3168 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1036 wrote to memory of 1708 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1036 wrote to memory of 1708 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1036 wrote to memory of 1708 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1036 wrote to memory of 4480 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1036 wrote to memory of 4480 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1036 wrote to memory of 4480 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1036 wrote to memory of 4724 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1036 wrote to memory of 4724 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 988 wrote to memory of 1292 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 988 wrote to memory of 1292 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 988 wrote to memory of 1292 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1292 wrote to memory of 3248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1292 wrote to memory of 3248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1292 wrote to memory of 3248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe

"C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe

"C:\Users\Admin\AppData\Local\Temp\0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 557cb47d-b257-44ff-b9db-47ae5194cd1f.uuid.localstats.org udp
US 8.8.8.8:53 server2.localstats.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
N/A 127.0.0.1:3478 udp
US 162.159.133.233:443 cdn.discordapp.com tcp
BG 185.82.216.111:443 server2.localstats.org tcp
US 104.21.94.82:443 carsalessystem.com tcp
BG 185.82.216.111:443 server2.localstats.org tcp
US 52.111.227.11:443 tcp
US 74.125.250.129:19302 stun2.l.google.com udp
BG 185.82.216.111:443 server2.localstats.org tcp

Files

memory/1912-1-0x0000000004890000-0x0000000004C97000-memory.dmp

memory/1912-2-0x0000000004CA0000-0x000000000558B000-memory.dmp

memory/1912-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2312-4-0x0000000074A3E000-0x0000000074A3F000-memory.dmp

memory/2312-5-0x00000000032F0000-0x0000000003326000-memory.dmp

memory/2312-6-0x0000000074A30000-0x00000000751E1000-memory.dmp

memory/2312-7-0x0000000005AF0000-0x000000000611A000-memory.dmp

memory/2312-8-0x0000000074A30000-0x00000000751E1000-memory.dmp

memory/2312-9-0x0000000005A10000-0x0000000005A32000-memory.dmp

memory/2312-10-0x0000000006220000-0x0000000006286000-memory.dmp

memory/2312-11-0x0000000006290000-0x00000000062F6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_beauw3dr.qf0.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2312-17-0x0000000006300000-0x0000000006657000-memory.dmp

memory/2312-21-0x00000000067E0000-0x00000000067FE000-memory.dmp

memory/2312-22-0x0000000006860000-0x00000000068AC000-memory.dmp

memory/2312-23-0x0000000006D50000-0x0000000006D96000-memory.dmp

memory/1912-24-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2312-28-0x0000000074A30000-0x00000000751E1000-memory.dmp

memory/2312-27-0x0000000070EB0000-0x0000000071207000-memory.dmp

memory/2312-26-0x0000000070CA0000-0x0000000070CEC000-memory.dmp

memory/2312-25-0x0000000007BD0000-0x0000000007C04000-memory.dmp

memory/2312-37-0x0000000007C30000-0x0000000007C4E000-memory.dmp

memory/2312-38-0x0000000007C50000-0x0000000007CF4000-memory.dmp

memory/2312-39-0x0000000074A30000-0x00000000751E1000-memory.dmp

memory/2312-41-0x0000000007D80000-0x0000000007D9A000-memory.dmp

memory/2312-40-0x00000000083C0000-0x0000000008A3A000-memory.dmp

memory/2312-42-0x0000000007DC0000-0x0000000007DCA000-memory.dmp

memory/2312-43-0x0000000007ED0000-0x0000000007F66000-memory.dmp

memory/2312-44-0x0000000007DE0000-0x0000000007DF1000-memory.dmp

memory/2312-45-0x0000000007E30000-0x0000000007E3E000-memory.dmp

memory/2312-46-0x0000000007E40000-0x0000000007E55000-memory.dmp

memory/2312-47-0x0000000007E90000-0x0000000007EAA000-memory.dmp

memory/2312-48-0x0000000007EB0000-0x0000000007EB8000-memory.dmp

memory/2312-51-0x0000000074A30000-0x00000000751E1000-memory.dmp

memory/1912-53-0x0000000004890000-0x0000000004C97000-memory.dmp

memory/1912-54-0x0000000004CA0000-0x000000000558B000-memory.dmp

memory/1912-56-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1912-55-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2880-65-0x0000000005640000-0x0000000005997000-memory.dmp

memory/2880-66-0x0000000070CA0000-0x0000000070CEC000-memory.dmp

memory/2880-67-0x0000000070E20000-0x0000000071177000-memory.dmp

memory/2880-76-0x0000000006CB0000-0x0000000006D54000-memory.dmp

memory/2880-77-0x0000000006FF0000-0x0000000007001000-memory.dmp

memory/2880-78-0x0000000007040000-0x0000000007055000-memory.dmp

memory/640-79-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 65636ad8478e0fc4322083c26f7fc48d
SHA1 b9b89ed57489097e60ebee7f288da23b3eda9a20
SHA256 e17fc50fac6adae6972ff5ff25b9bd5c9b5ca7472948b3cdd2c731d1e7dd2a6c
SHA512 e8ea3862c7d7bf67d2effcccf82cc35ec23ab6590acd662f3ebf1b600d5f5155d45193098bd87c146019dea869d9a8af8594e217ffe23395b471875104b8daaf

memory/2700-92-0x0000000070CA0000-0x0000000070CEC000-memory.dmp

memory/2700-93-0x0000000070E20000-0x0000000071177000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 72ad4d12501afa6999375d546f799fd6
SHA1 80899dfd52e015d96916bc623ff9c6d4cdf3c47c
SHA256 4b0d60cc2f17b401c0315a8af8333486ae9730e09e9dee810af7b5fb38b02726
SHA512 6b79a1d09c116a0e7492b535dc63e643f130e99c17a66032f6a1e3eddb63d8b9f1750ae314fff50401155847123322071ba9aaa0e525da6cc013f85bce0b7df8

memory/1956-113-0x0000000070CA0000-0x0000000070CEC000-memory.dmp

memory/1956-114-0x0000000070EB0000-0x0000000071207000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 b3461f483961ad4f068cdf5f5158212f
SHA1 3068310452cb36a61915636d993dc850ffcd1cf4
SHA256 0cf4eb0dafb7c2d60971a3d2f2444b719ac3531882385d20d7456fb91e0d4d47
SHA512 7ea14b89dcc09a82a88ada8e83bcc8870931c54b770ff7adb410533b5a748dc26f1836182e7c275902d4f2ca88ff7eb250270bf5296849fa9fb88025c576bec6

memory/640-127-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ac49dc5686b46db0a91d8c702b112372
SHA1 c71eeef2ad4b59cefe490fd916b528f1bf8d7ead
SHA256 5394ee8153c3a29f4031e50023e86241e0b2ebecfad406687dc3d438414bf60b
SHA512 81f0c346d7f6ee1d24735ee3f47c3a060b28e8f04b0262ff126deb031ab2898f06a853cbe244cccc213392e20435de2a4621e708a6c8fec53b9ebe4a290e14c6

memory/3168-141-0x0000000070E20000-0x0000000071177000-memory.dmp

memory/3168-140-0x0000000070CA0000-0x0000000070CEC000-memory.dmp

memory/1708-156-0x0000000005AF0000-0x0000000005E47000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 5b52fd198d6642557b2ee0ab9fd9e76e
SHA1 cf255f2dad95ac8292725d461492004b004e7ca0
SHA256 3ef575884b79c7601f8e69f80bfaa99efe0697e03dcb4ff72edaf63519d22055
SHA512 a774f8aa9a17f7c2b14e47234e13f783bc6e3c6cc1ec16a2c3057d200e5b5ba0564f9a8c2c84891473eb9f7136d9859561aab994ee8d5ae5f761bbd34bbe6176

memory/1708-161-0x00000000060B0000-0x00000000060FC000-memory.dmp

memory/1708-162-0x0000000070BC0000-0x0000000070C0C000-memory.dmp

memory/1708-163-0x0000000070DD0000-0x0000000071127000-memory.dmp

memory/1708-172-0x00000000072B0000-0x0000000007354000-memory.dmp

memory/1708-173-0x0000000007600000-0x0000000007611000-memory.dmp

memory/1708-175-0x00000000059F0000-0x0000000005A05000-memory.dmp

memory/4480-185-0x0000000006480000-0x00000000067D7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 4f068cdbddd36f2717124060c2edf255
SHA1 3bf0aaff5258cfd31344e9fbb0108b7af6a76caf
SHA256 e020a8a0735366592d805dad420221b907ef84c96e59b70bf43afbe82f403f3a
SHA512 287c1b9e8bad198fff085954bcdd224099732f5a5ef9efdd16eb79ac7494a2c6c45a4e2a2b207c9fa06b7fb5847f6a8f0d2d571fd6e9f5bb4f137927c39f7416

memory/4480-187-0x0000000070BC0000-0x0000000070C0C000-memory.dmp

memory/4480-188-0x0000000070D40000-0x0000000071097000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/1036-203-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/988-208-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/5060-211-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/988-213-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1036-214-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/5060-217-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1036-216-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1036-219-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/5060-223-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1036-222-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1036-226-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1036-228-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1036-231-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1036-234-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1036-238-0x0000000000400000-0x0000000002B0B000-memory.dmp